Abstract



Shor's algorithm contains a classical post-processing part for which we aim to create
an efficient, understandable method aside from continued fractions.
Let $r$ be an unknown positive integer. Assume that with some constant probability
we obtain random positive integers of the form $x = [Nk/r]$, where $[\cdot]$ is either the floor
or ceiling of the rational number, $k$ is selected uniformly at random from $\{0, 1, \ldots, r-1\}$,
and $N$ is a parameter that can be chosen. The problem of recovering $r$ from such
samples occurs precisely in the classical post-processing part of Shor's algorithm. The
quantum part (quantum phase estimation) makes it possible to obtain such samples
where $r$ is the order of some element $a \in \mathbb{Z}_n^*$ and $n$ is the number to be factored.
Shor showed that the continued fraction algorithm can be used to efficiently recover
$r$, since if $N \ge 2r^2$ then $k/r$ appears in lowest terms as one of the convergents of $x/N$
due to a standard result on continued fractions. We present here an alternative method
for recovering $r$ based on the Gauss algorithm for lattice basis reduction, allowing us to
efficiently find the shortest nonzero vector of a lattice generated by two vectors. Our
method is about as efficient as the method based on continued fractions, yet it is much
easier to understand all the details of why it works.



1 Introduction



In the classical post-processing part of Shor's algorithm, the task is to recover the unknown
positive integer $r$ from samples of the form

$$x = \left[\frac{Nk}{r}\right], \qquad (1)$$

where $k$ is selected uniformly at random from $\{0, 1, \ldots, r-1\}$, and $N$ is chosen to be a
sufficiently large power of 2. These samples are produced by quantum phase estimation.

Here $r$ denotes the order of some randomly chosen element $a$ of the unit group of
the residue ring $\mathbb{Z}_n$, where $n$ is the number to be factored. The probabilistic reduction of
integer factorization to order finding shows that when $a$ is chosen randomly, then there is a
high probability that $r$ is even and $\gcd(a^{r/2} - 1, n)$ yields a nontrivial factor of $n$. This is
described in [1, Subsection 7.3.1].

We now briefly summarize the idea underlying phase estimation. Let $U$ be the unitary
transformation corresponding to the permutation of $\mathbb{Z}_n$ defined by $j \mapsto a \cdot j$, where
$a \in \mathbb{Z}_n^*$. Observe that the orbit of 1 under this permutation is $1 = a^0, a^1, \ldots, a^{r-1}$, implying
that $U$ acts as a cyclic shift operator of order $r$ when restricted to the subspace spanned by
$|1\rangle, |a\rangle, \ldots, |a^{r-1}\rangle$. Therefore $|1\rangle$ is a uniform superposition of eigenvectors $|\psi_k\rangle$ with
eigenvalue $e^{2\pi i k/r}$ for $k = 0, \ldots, r-1$. (These correspond to the eigenvectors and eigenvalues
of the cyclic shift operator of order $r$ when we identify $U$ with its restriction to the above
subspace and use $|j\rangle$ instead of $|a^j\rangle$ to denote the basis vectors of the subspace.)

The analysis in [1, Theorem 7.1.5] shows that if we run quantum phase estimation of $U$
in the state $|1\rangle$, then we obtain samples of the form as in (1) with probability greater
than or equal to $8/\pi^2$, where $k$ is selected uniformly at random from $\{0, 1, \ldots, r-1\}$. The uniform
distribution over $k$ occurs because $|1\rangle$ is a uniform superposition of the eigenvectors $|\psi_k\rangle$
and, thus, quantum phase estimation behaves as if we had a classical mixture of the $|\psi_k\rangle$.

Let $x$ be an outcome of the form as in (1), implying $|x/N - k/r| \le 1/N$. If $N$ is greater than or
equal to $2r^2$, then $k/r$ appears in lowest terms as one of the convergents of the
continued fraction expansion of $x/N$. This is a standard result in the theory of continued
fractions (see [1, Theorem 7.17] for a formulation of the result as relevant for the recovery
problem and [2, Chapter 15 and Theorem 15.9] for a proof).

We present here a different method for recovering $r$. Our method relies on the
Gauss algorithm for lattice reduction, which makes it possible to efficiently compute shortest
(nonzero) lattice vectors in lattices generated by two vectors.



2 Recovering the period with the Gauss algorithm 

Let $x$ and $y$ be two outcomes of the phase estimation algorithm. Assume that both samples
have the form as given in (1) and that the corresponding $k$ and $\ell$ are coprime. It is relatively
easy to show that the probability of $k$ and $\ell$ being coprime is greater than 1/2 (see [3, Lemma
20] and [4] for a better lower bound).

Let $s$ be an integer that we fix later. Consider the linearly independent vectors

$$\mathbf{x} = \begin{pmatrix} 1 \\ 0 \\ s\,x/N \end{pmatrix}, \qquad \mathbf{y} = \begin{pmatrix} 0 \\ 1 \\ s\,y/N \end{pmatrix}$$

and let $L = \mathbb{Z}\mathbf{x} + \mathbb{Z}\mathbf{y}$ denote the lattice generated by these two vectors.






At this stage we only need to know that the Gauss algorithm determines two integers $m$
and $n$ such that $\mathbf{u} = m\mathbf{x} + n\mathbf{y}$ is a shortest nonzero vector. This is proved in [5, Section 2].
For the sake of completeness, we provide a simplified proof in the next section.

Theorem 2.1. Let $B$ be an upper bound on the unknown integer $r$. Set $s = 4B^2$ and choose
an integer $N$ with $N \ge \sqrt{2}\, s$. Let $x = [Nk/r]$ and $y = [N\ell/r]$ be the samples as in (1). Assume
that $k$ and $\ell$ are coprime. Then the vector $\mathbf{u} = (-\ell)\mathbf{x} + k\mathbf{y}$ is the unique (up to multiplication
by $-1$) shortest nonzero vector of $L$.

Proof. First, consider the vector

$$\mathbf{u} = (-\ell)\mathbf{x} + k\mathbf{y} = \begin{pmatrix} -\ell \\ k \\ s\left(-\ell\,\dfrac{x}{N} + k\,\dfrac{y}{N}\right) \end{pmatrix}.$$

Writing $x/N = k/r + \epsilon_x$ and $y/N = \ell/r + \epsilon_y$ with $|\epsilon_x|, |\epsilon_y| \le 1/N$, the terms $\mp k\ell/r$ in the third coordinate cancel and it equals $s(-\ell\epsilon_x + k\epsilon_y)$. The norm of $\mathbf{u}$ is therefore bounded from above by

$$\|\mathbf{u}\|_2 \le \sqrt{(r-1)^2 + (r-1)^2 + s^2\left(\frac{k}{N} + \frac{\ell}{N}\right)^2} \le \sqrt{2(r-1)^2 + \frac{4 s^2 B^2}{N^2}} \le \sqrt{2(r-1)^2 + 2B^2} < 2B,$$

since $k, \ell \le r-1$, $r \le B$, and $N \ge \sqrt{2}\, s$.

Second, we show that the above vector $\mathbf{u}$ is the unique (up to multiplication by $-1$)
shortest nonzero vector of $L$. Assume to the contrary that $\mathbf{z} = m\mathbf{x} + n\mathbf{y}$ is a shortest nonzero
lattice vector with $(m, n) \ne \pm(-\ell, k)$. Clearly, we must also have $(m, n) \ne c(-\ell, k)$ for all
integers $c$ with $|c| \ge 2$, since in this case $\mathbf{z} = c\mathbf{u}$ cannot be a shortest nonzero lattice vector.
This implies that $mk + n\ell \ne 0$ (as $k$ and $\ell$ are coprime, $mk + n\ell = 0$ would force $(m, n) = c(-\ell, k)$ for some integer $c$).

We have

$$\|\mathbf{z}\|_2^2 = m^2 + n^2 + s^2\left(m\,\frac{x}{N} + n\,\frac{y}{N}\right)^2.$$

We may assume that $\sqrt{m^2 + n^2} \le 2B$ because otherwise $\mathbf{z}$ would be longer than $\mathbf{u}$. Writing
$x/N = k/r + \epsilon_x$ and $y/N = \ell/r + \epsilon_y$ with $|\epsilon_x|, |\epsilon_y| \le 1/N$, we obtain

$$\begin{aligned}
\|\mathbf{z}\|_2 &\ge \left| ms\,\frac{x}{N} + ns\,\frac{y}{N} \right| = s\left| \frac{mk + n\ell}{r} + m\epsilon_x + n\epsilon_y \right| \\
&\ge s\left( \frac{|mk + n\ell|}{r} - \frac{|m| + |n|}{N} \right) \\
&\ge \frac{s}{r} - \frac{s\sqrt{2}\,\sqrt{m^2 + n^2}}{N} \ge \frac{s}{r} - \frac{2\sqrt{2}\, sB}{N} \\
&\ge \frac{s}{r} - \frac{s}{2r} = \frac{s}{2r} \ge \frac{s}{2B} = 2B,
\end{aligned}$$

implying that $\mathbf{z}$ would be longer than $\mathbf{u}$. (The third line uses $|mk + n\ell| \ge 1$ and $|m| + |n| \le \sqrt{2}\sqrt{m^2 + n^2}$; the last line uses $N \ge \sqrt{2}\, s = 4\sqrt{2}\, B^2 \ge 4\sqrt{2}\, Br$, so that $2\sqrt{2}\, sB/N \le s/(2r)$.)



□ 
The above theorem shows that we can recover the value $k$ corresponding to $x$. We need
the following lemma to show that $Nk/x$ is sufficiently close to the integer $r$.



Lemma 2.2. Let $\zeta, \zeta' \in [a, b] \subset [0, 1]$ with $a > 0$. Then

$$\left| \frac{1}{\zeta} - \frac{1}{\zeta'} \right| \le \frac{1}{a^2}\,|\zeta - \zeta'|.$$

Proof. This follows since the function $f(\zeta) = 1/\zeta$ is Lipschitz continuous on $[a, b]$ with constant given
by $\max_{\zeta'' \in [a, b]} |f'(\zeta'')| = 1/a^2$. □



We have

$$\left| \frac{x}{Nk} - \frac{1}{r} \right| \le \frac{1}{Nk} \le \frac{1}{N}.$$

We now apply the above lemma with $\zeta = 1/r$ and $\zeta' = x/(Nk)$ and $a = 1/r - 1/N$ and
obtain

$$\left| \frac{Nk}{x} - r \right| \le \frac{1}{a^2 N} = \frac{r^2 N}{(N - r)^2} < 1.$$

We now see that we have to choose $N$ on the order of $r^2$ to obtain an estimate that is
close to $r$.



3 Gauss algorithm 

Let $u$ and $v$ be two arbitrary vectors in $\mathbb{Z}^d$ and $M := \max\{\|u\|, \|v\|\}$. We refer to $M$ as the
length of the basis $u, v$. We show that the Gauss algorithm makes it possible to determine
a shortest nonzero vector of the lattice $\mathbb{Z}u + \mathbb{Z}v$ in time that scales polynomially in $d$ and
$\log(M)$. We summarize and simplify the necessary results in [5, Section 2].

To apply the Gauss algorithm to the vectors $\mathbf{x}$ and $\mathbf{y}$ from the previous section, we have
to multiply them by $N$ to ensure that all entries are integers. The parameter $d$ is equal to
3 in this case.

We need two definitions to present and analyze the algorithm. For $f \in \mathbb{Q}$, define the
closest integer to $f$ to be the unique integer $m$ such that $f - m \in (-\tfrac{1}{2}, \tfrac{1}{2}]$. We denote the
closest integer to $f$ by $[f]$. For $f \in \mathbb{Q}$, define the sign of $f$ to be $+1$ if $f$ is nonnegative and
$-1$ otherwise. We denote the sign of $f$ by $s(f)$.

We start with the basis $u$ and $v$ where we assume that $\|u\| \le \|v\|$. We replace the vector
$v$ by the shortest vector $\chi(v, u)$ of the set

$$K(v, u) := \{ w \mid w = \epsilon(v - mu),\ m \in \mathbb{Z},\ \epsilon = \pm 1 \}$$

that makes an acute angle with $u$. Note that $\chi(v, u)$ is easy to calculate from $f = u \cdot v / \|u\|^2$.
We see that $f$ is the solution to the quadratic minimization problem $g(f) = \|v - fu\|^2$
with respect to $f$. This yields the optimal value of the concave-up parabola to be $f$, where
$f \in \mathbb{R}$. However, if we are required to use integer values, we have that $[f] \in \mathbb{Z}$ gives us the
shortest norm. Hence the optimal integer $m$ is equal to $[f]$ and $\epsilon$ is equal to $s(f - [f])$.
REPEAT

1. IF $\|u\|^2 > \|v\|^2$, exchange $u$ and $v$;

2. $v := \chi(v, u)$;

UNTIL $\|u\|^2 \le \|v\|^2$.
The following result describes the output configuration: 

Lemma 3.1 (Shortest lattice vector). Given an arbitrary basis $u, v$ of a lattice $L$ in $\mathbb{Z}^d$, the
Gauss algorithm outputs a shortest nonzero vector of $L$.¹

Proof. The output configuration $u, v$ satisfies the two conditions

$$\|u\|^2 \le \|v\|^2 \qquad \text{and} \qquad 0 \le u \cdot v \le \tfrac{1}{2}\|u\|^2.$$

The first condition corresponds directly to the criterion in the UNTIL statement. The second
condition is seen as follows. By definition of the vector $\chi(v, u)$ in step 2 we have

$$0 \le u \cdot \chi(v, u) = \|u\|^2 \cdot s(f - [f]) \left( f - [f] \right), \qquad f = \frac{u \cdot v}{\|u\|^2}.$$

Clearly, the absolute value of the term in the round parenthesis is at most $\tfrac{1}{2}$, which implies
the second condition.

We now show that the length of the projection of $v$ orthogonally to $u$ is at least
$\tfrac{\sqrt{3}}{2}\|u\|$. Express $v$ as

$$v = \frac{u \cdot v}{\|u\|^2}\, u + t,$$

where $t$ is orthogonal to $u$. Then $\|v\|^2 \le \tfrac{1}{4}\|u\|^2 + \|t\|^2$ since the scalar in front of $u$ in the
above expression is in $[0, \tfrac{1}{2}]$. Because $\|u\|^2 \le \|v\|^2$, we have $\|t\| \ge \tfrac{\sqrt{3}}{2}\|u\|$ as claimed.

We are now ready to show that $u$ is a shortest lattice vector. Consider vectors of the
form

$$\beta v + \alpha u \quad \text{with } \beta = \pm 1 \text{ and } \alpha \in \mathbb{Z}.$$

Any such vector has length at least $\|v\| \ge \|u\|$ due to the choice of $v := \chi(v, u)$ in step
2. Recall that the parameter $m$ is always chosen so that the length of the resulting vector
$\chi(v, u)$ is minimal. Hence any subsequent addition of an integer multiple of $u$ to $\chi(v, u)$
cannot decrease the length.
Consider vectors of the form

$$\beta v + \alpha u \quad \text{with } |\beta| \ge 2 \text{ and } \alpha \in \mathbb{Z}.$$

Any such vector has length at least $|\beta|\,\|t\| \ge 2 \cdot \tfrac{\sqrt{3}}{2}\|u\| > \|u\|$.

The only vectors not covered by the previous two cases are multiples of $u$. □



¹ It can be shown that the two vectors output by the Gauss algorithm are the two successive minima of
$L$. But we do not need this stronger result.
To analyze the complexity of the Gauss algorithm we now describe a modified algorithm
that depends on a parameter $t$, which is strictly greater than 1. The new algorithm is called
the Gauss($t$) algorithm, and is equivalent to the Gauss algorithm for $t = 1$. In Gauss($t$), the
original loop termination condition

$$\|u\|^2 \le \|v\|^2$$

is replaced by

$$\|u\|^2 \le t^2 \|v\|^2. \qquad (2)$$

The polynomial time complexity of Gauss($t$) is clear. In each loop, the length of the longer
vector is decreased by a factor of at least $1/t$ and the length of any nonzero vector of $L \subset \mathbb{Z}^d$
is at least 1. We obtain an upper bound on the number $k_t$ of iterations of this algorithm
executed on a basis of length $M$:

$$k_t \le \lceil \log_t(M) \rceil.$$

Lemma 3.2. Let $k$ and $k_t$ denote the number of iterations of the Gauss algorithm and the
Gauss($t$) algorithm when applied to the same basis $u, v$ of a lattice $L$. For any $t \le \sqrt{3}$ the
two numbers $k_t$ and $k$ satisfy

$$k_t \le k \le k_t + 1.$$

Proof. The inequality $k_t \le k$ is clear. To prove the upper bound consider the last loop of
the Gauss($t$) algorithm. Its output configuration satisfies the two conditions

$$0 \le u \cdot v \le \tfrac{1}{2}\|u\|^2 \qquad \text{and} \qquad \|u\|^2 \le t^2 \|v\|^2.$$

If $\|u\|^2 \le \|v\|^2$ holds, then this is also the last loop of the Gauss algorithm. So assume that
$\|u\|^2 > \|v\|^2$. In this case the Gauss algorithm proceeds by exchanging $u$ and $v$. We denote
the configuration after this step by $u' = v$ and $v' = u$.

We have $\|u'\| < \|v'\|$ and

$$0 \le \frac{u' \cdot v'}{\|u'\|^2} = \frac{u' \cdot v'}{\|v'\|^2} \cdot \frac{\|v'\|^2}{\|u'\|^2} = \frac{v \cdot u}{\|u\|^2} \cdot \frac{\|u\|^2}{\|v\|^2} \le \frac{1}{2} \cdot t^2 \le \frac{3}{2}.$$

The second inequality implies that there are only two cases we need to consider for the new
vector in step two of the Gauss algorithm, which are either $v'$ or $\pm(v' - u')$. In the
first case, the Gauss algorithm stops because $u'$ is still shorter than the new vector. In the
second case, we have

$$\|v' - u'\| = \|u - v\| = \|v - u\| \ge \|v\| = \|u'\|.$$

The inequality is due to the particular choice of the vector $v$ in step two of the Gauss($t$)
algorithm. Recall that any subsequent addition of a multiple of $u$ cannot decrease its length.
Hence the Gauss algorithm also terminates in the second case.

□

Corollary 3.3. The number of iterations $k$ of the Gauss algorithm executed on a basis of
length $M$ satisfies

$$k \le \lceil \log_{\sqrt{3}}(M) \rceil + 1.$$
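The following Python is an added example, not the paper's own code, and it serves two passages at once: the Gauss($t$) algorithm of Section 3 (with the Gauss algorithm as the case $t = 1$, and the iteration counts of Lemma 3.2 and Corollary 3.3), and the recovery of $r$ from two samples in Section 2 via Theorem 2.1 followed by the estimate $Nk/x$ of Lemma 2.2. Assumptions beyond the text: the two basis vectors are taken as $(1, 0, s\,x/N)$ and $(0, 1, s\,y/N)$ and scaled by $N$ as Section 3 prescribes; the algorithm is parametrised by $t^2$ rather than $t$ so that $t = \sqrt{3}$ stays an exact integer comparison; the samples are constructed for $r = 6$ (the order of 2 modulo 21), $B = 20$, $N = 4096$, $k = 1$ and $\ell = 5$, with `phase_sample` standing in for the quantum phase estimation step; and the final estimate rounds $Nk/x$ to the nearest integer, which is justified because for $N \ge \sqrt{2}\, s = 4\sqrt{2}B^2$ the Lemma 2.2 bound $r^2N/(N-r)^2$ is below $1/2$ (`lemma_bound` evaluates it).

```python
from fractions import Fraction
from math import ceil, log, sqrt


def dot(a, b):
    """Dot product of two integer vectors given as tuples."""
    return sum(ai * bi for ai, bi in zip(a, b))


def norm2(a):
    """Squared Euclidean norm ||a||^2 (exact integer arithmetic)."""
    return dot(a, a)


def closest_integer(f):
    """[f]: the unique integer m with f - m in (-1/2, 1/2]."""
    return ceil(f - Fraction(1, 2))


def chi(v, u):
    """chi(v, u): the shortest vector eps*(v - m*u), m integer, eps = +-1, that makes
    an acute angle with u; m = [f] and eps = s(f - [f]) for f = u.v / ||u||^2."""
    f = Fraction(dot(u, v), norm2(u))
    m = closest_integer(f)
    eps = 1 if f - m >= 0 else -1
    return tuple(eps * (vi - m * ui) for vi, ui in zip(v, u))


def gauss(u, v, t_squared=1):
    """Gauss(t) algorithm on an integer basis, parametrised by t^2 (t_squared=1 is the
    plain Gauss algorithm, t_squared=3 is t = sqrt(3)).  Returns (u, v, iterations);
    for t_squared=1 the returned u is a shortest nonzero lattice vector (Lemma 3.1)."""
    u, v = tuple(u), tuple(v)
    iterations = 0
    while True:
        iterations += 1
        if norm2(u) > norm2(v):                 # step 1: exchange u and v
            u, v = v, u
        v = chi(v, u)                            # step 2: v := chi(v, u)
        if norm2(u) <= t_squared * norm2(v):     # UNTIL ||u||^2 <= t^2 ||v||^2, i.e. (2)
            return u, v, iterations


def iteration_bound(u, v):
    """Corollary 3.3: ceil(log_{sqrt 3}(M)) + 1 with M = max(||u||, ||v||)."""
    M = sqrt(max(norm2(u), norm2(v)))
    return ceil(log(M) / log(sqrt(3))) + 1


def iteration_counts(u, v):
    """(k, k_t, bound): iterations of Gauss, of Gauss(sqrt 3), and the Corollary 3.3 bound."""
    return gauss(u, v)[2], gauss(u, v, t_squared=3)[2], iteration_bound(u, v)


def phase_sample(N, k, r, use_ceiling):
    """Constructed stand-in for a phase-estimation outcome x = [Nk/r] (floor or ceiling)."""
    q, rem = divmod(N * k, r)
    return q + 1 if (use_ceiling and rem) else q


def lemma_bound(r, N):
    """Lemma 2.2 as applied in Section 2: |Nk/x - r| <= 1/(a^2 N) with a = 1/r - 1/N."""
    a = Fraction(1, r) - Fraction(1, N)
    return 1 / (a * a * N)


def recover_order(x, y, N, B):
    """Theorem 2.1: reduce the basis N*(1, 0, s x/N), N*(0, 1, s y/N) with s = 4 B^2.
    The shortest vector is +-N*((-l) x_vec + k y_vec) = +-(-l N, k N, .), which reveals
    k and l; the estimate of r is then Nk/x rounded.  Returns (r_estimate, (k, l))."""
    s = 4 * B * B
    if N * N < 2 * s * s:
        raise ValueError("Theorem 2.1 needs N >= sqrt(2) * s")
    if x == 0:
        raise ValueError("sample x = 0 (k = 0) carries no information about r")
    bx = (N, 0, s * x)          # N times the first basis vector: integer entries, d = 3
    by = (0, N, s * y)          # N times the second basis vector
    u, _, _ = gauss(bx, by)
    neg_lN, kN = u[0], u[1]
    if kN < 0:                  # fix the overall sign so that k > 0
        neg_lN, kN = -neg_lN, -kN
    if kN % N or neg_lN % N:
        raise ValueError("shortest vector not of the form (-l, k, .) * N: k, l not coprime?")
    k, l = kN // N, (-neg_lN) // N
    return round(Fraction(N * k, x)), (k, l)


if __name__ == "__main__":
    N, r, B = 4096, 6, 20       # constructed: r = 6 is the order of 2 mod 21, B >= r
    x = phase_sample(N, 1, r, use_ceiling=True)     # ceiling of 4096 * 1 / 6
    y = phase_sample(N, 5, r, use_ceiling=False)    # floor of 4096 * 5 / 6
    print("samples", (x, y), "-> (r, (k, l)) =", recover_order(x, y, N, B))
    print("Lemma 2.2 bound on |Nk/x - r|:", float(lemma_bound(r, N)))
    print("Gauss / Gauss(sqrt 3) iterations and bound:", iteration_counts((4, 7), (6, 11)))
```

On the constructed samples the reduction finishes in two iterations and returns $\pm(-5N, N, \cdot)$, so $k = 1$, $\ell = 5$ and $Nk/x = 4096/683$ rounds to $r = 6$; the same holds if both samples are taken with the floor instead. The small two-dimensional basis $(4, 7), (6, 11)$ shows the iteration bookkeeping: the Gauss algorithm needs three iterations to reach the shortest vector $(0, 1)$, Gauss($\sqrt{3}$) the same number, and both are within the Corollary 3.3 bound.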